Over SMB
PsExec-like utilities
PsExec-like utilities operate under the same general principle:
Upload of a binary on the targeted system, usually through the
ADMIN$orC$Windows built-inSMBshares.Execution of the uploaded binary through the creation and execution of a Windows service, leveraging the
Service Control Manager (SCM)service through theMSRPCprotocol (SVCCTLinterface).
The aforementioned actions require the following elevated privileges on the targeted system, usually given to members of the local Administrators group: - Write permission on any network share (both NTFS and Share write permission). PsExec however requires specifically write permission to the ADMIN$ share. If necessary, a writable share can be configured remotely through the Server Service MSRPC interface. - Permissions to create (SC_MANAGER_CREATE_SERVICE) and start (SERVICE_QUERY_STATUS + SERVICE_START) Windows services.
The execution of a PsExec-like utility will notably, in addition to Security EID 4624 and EID 4672 events, generate the following Windows events:
Systemhive,EID 7045: A service was installed in the system.Securitystarting from the Windows Server 2016 and Windows 10 operating systems,EID 4697: A service was installed in the system.Systemhive,EID 7036: The <SERVICE_NAME> service entered the <running/stopped> state.
Writable network share
The smbmap Python script can be used to list the shares, and their configured permissions, on the remote system and the rpcclient utility can be used to call the NetShareAdd function of the Server Service MSRPC interface in order to create a share on the remote system.
According to the Microsoft documentation, only members of the Administrators, System Operators, or Power Users local groups can add shares using the NetShareAdd function. The Print Operator can however add printer shares.
An utility supporting the specification of the remote share to write the binary to, such as the Metasploit's exploit/windows/smb/psexec module or the Impacket's smbexec.py Python script can then be leveraged to execute code on the remote system.
PsExec-like utilities
PsExec
The PsExec CLI utility, from the Microsoft sysinternals suite and signed by Microsoft, can be used to execute commands, locally or remotely and under the current user or specified user identity.
While the use of a more complete attack framework is recommended on the attacking machine (such as Cobalt Strike, CrackMapExec or Metasploit), PsExec may be uploaded on a compromised host in order to futher reach segregated targets as it will not raise alerts against some anti-virus solutions.
PsExec uses a named pipe over the Server Message Block (SMB) protocol, which runs on TCP port 445. The utility will connect to the ADMIN$ share of the targeted host, upload the PSEXESVC.exe binary and use the Service Control Manager to start the aforementioned binary.
Note that while the name of the created service can be specified, the name of the uploaded binary cannot be changed, resulting in known forensics artefacts on the accessed system associated to the use of PsExec, such as:
A Windows
SecurityeventEID 4624: An account was successfully logged onwith itsProcess Namefield set toC:\Windows\PSEXESVC.exe.A
PSEXESVC.EXEentry in theShimcache/AmcacheA possible record in the
Master File Table (MFT)andUpdate Sequence Number Journal (USN) Journal
If an user is specified using the -u option, an interactive logon (Logon type 2) will be attempted by PsExec, resulting in the storing of the given user NTLM hash in LSASS memory. For logons attempted using the current user identity, PsExec will conduct network logon (Logon type 3).
Metasploit PsExec
The exploit/windows/smb/psexec Metasploit module can be used to execute a Metasploit payload, such as a Meterpreter, on a targeted system using a cleartext password or an NTLM hash.
This module will by default generate a service with a random name and description and allows the specification of a network share.
Impacket psexec.py
The Impacket's psexec.py Python script will upload and execute the RemComSvc service, based on the open-source RemCom project.
psexec.py present the advantage of supporting both NTLM, uisng a cleartext password or an NTLM hash, and Kerberos authentication, using a Ticket-Granting Ticket (TGT) or a service ticket for the remote machine CIFS service. For more information on how to make use of service tickets (Pass-the-Ticket), refer to the [ActiveDirectory] Kerberos - silver tickets note.
psexec.py will by default upload a binary and generate a service with a random name and allows the specification of a network share.
Additionally, psexec.py can easily be incorporated into custom Python scripts:
Invoke-SMBExec
The Invoke-SMBExec PowerShell cmdlet can be used to pass the hash over SMB in PowerShell.
The Invoke-SMBExec cmdlet will by default upload a binary and generate a service with a random name.
Fileless PsExec-like utilities
The Impacket's smbexec.py Python script and the Metasploit's exploit/windows/smb/psexec module implement a fileless variation of PsExec. Instead of uploading a binary, the created Windows service will execute Windows built-in binaries.
smbexec.py rely on %COMSPEC% (cmd.exe) and will, for each specified command, create a Windows service that echo the command in a temporary file (%TEMP%\execute.bat), then execute and ultimately delete the bat file.
The Metasploit's exploit/windows/smb/psexec module rely on both %COMSPEC% and powershell.exe and will create a Windows service that execute the specified payload (bind / reverse meterpreter, single command, etc.) through a PowerShell one-liner.
Metasploit will generate a random name for the Windows service while smbexec.py, by default, create a service named BTOBTO.
Remote Windows services
The Windows built-in utility Service Control (sc) and the Impacket's services.py Python script can be used to remotely create and start a Windows service.
Remote code execution can be achieved through a Windows service by: - Copying a binary to the targeted system and executing it through the service (PsExec-like). - Directly executing a one-liner or payload through a built-in Windows binary, such as cmd.exe.
Refer to the [General] Shells note for Windows reverse shell one-liners and scripts.
Note that if the specified binary is not a service binary (i.e. a binary implementing the LPSERVICE_MAIN_FUNCTION callback function), an error message will be raised (Error 1053: The service did not respond to the start or control request in a timely fashion.). The binary will however have been executed once, which for some payload may be sufficient (meterpreter notably).
Remote scheduled tasks
The Windows built-in utility schtasks, the Impacket's atexec.py Python script, and the Windows Task Scheduler graphical utility can be used to remotely create and start a Windows scheduled tasks.
Remote code execution can be achieved through a Windows scheduled task by: - Copying a binary to the targeted system and executing it through the scheduled task. - Directly executing a one-liner or payload through a built-in Windows binary, such as cmd.exe or powershell.exe.
Refer to the [General] Shells note for Windows reverse shell one-liners and scripts.
While schtasks does not have a "run now" option, a scheduled task can be programmed to run once and starts in a few minutes. The /Z switch can be specified to automatically delete the scheduled task after execution. It may however raise compatibility issue, in which case the scheduled task would need to be deleted manually.
atexec.py will create, run and immediately delete a scheduled task, by default with a random generated name, that execute the specified command. The scheduled task will be executed as NT AUTHORIT\SYSTEM. The command output will be stored in a temporary random file and retrieved through the ADMIN$ share.
The Windows Task Scheduler utility can be used to configure remote scheduled task through the Microsoft Management Console (MMC) utility:
Last updated